The Weak Link in a Double Act: U.K. Law is Inadequate for Proposed Cross-Border Data Request Deal

The United Kingdom has been a key partner in the United States’ efforts to reform the process that law enforcement officials use to make cross-border requests for data. These efforts address both foreign governments’ requests for data stored in the U.S. and reciprocal requests by the U.S. government for data stored abroad. As part of these efforts, the U.S. and the U.K. have negotiated a draft bilateral agreement (“U.S.-U.K. agreement”)—the text of which is not public—that would allow the British government to request data directly from a U.S.-based provider in accordance with U.K. law, bypassing the mutual legal assistance process. In turn, the agreement would also permit the U.S. to request data directly from a U.K.-based provider.

In the U.S., implementing the agreement requires Congressional action. In July 2016, the U.S. Department of Justice proposed draft legislation (“U.S. DOJ legislation”) that would permit the executive branch to make this kind of agreement with the U.K. and other approved partners. In the last few months, the House Judiciary Committee and the Senate Judiciary Subcommittee on Terrorism and Crime have held hearings addressing both the U.S. DOJ legislation and the U.S.-U.K. agreement. Among the witnesses at each hearing was Paddy McGuinness, the U.K.’s deputy national security advisor, who testified in support of the U.S.-U.K. agreement.

Introduction of the U.S. DOJ legislation sparked immediate scrutiny and much policydebate. Although the U.S. DOJ legislation itself suffers from various shortcomings, we seek here to highlight several troubling aspects of the current U.K. surveillance framework, which was recently reformed with the enactment of the Investigatory Powers Act (“IPA”). Parliament was still debating the IPA when the U.S. DOJ legislation was released, meaning some provisions may have been negotiable in response to cross-border data request considerations, but it has since been enacted into law.

The pairing of the U.S. DOJ legislation with the U.S.-U.K. agreement presumes that the U.K. serves as an ideal test case for implementation. Yet, the U.K. surveillance framework as enacted—which differs dramatically from that of the U.S. in certain respects—falls short of even the standards proposed by the U.S. DOJ legislation. It therefore merits greater consideration as part of any domestic policy debate regarding the DOJ’s proposed approach.

British Warrants Are Overbroad and Lack Particularity

The U.S. DOJ legislation states that “[o]rders issued by the foreign government must identify a specific person, account, address, or personal device, or any other specific identifier” and must also “be based on requirements for a reasonable justification based on . . . particularity . . . regarding the conduct under investigation.” In contrast, the IPA permits so-called “targeted” warrants to “relate to” broad classes of persons or entities. Thus, the IPA states that “a targeted interception warrant . . . may relate to a group of persons who share a common purpose or who carry on, or may carry on, a particular activity.” The IPA also states that “a targeted interception warrant . . . may relate to . . . more than one person or organization, or more than one set of premises” that pertain to a single investigation.

These two categories of “targeted” warrants permit law enforcement to intercept content without needing to specify the target of the interference. The draft Code of Practice on the Interception of Communications, which provides guidance on the implementation of the IPA, underscores the permissible breadth of warrants. Indeed, it states that, “it may not always be reasonably practicable to include the names or descriptions of each and every one of the persons, organisations or sets of premises.” Moreover, it asserts that there is “no requirement to modify” such warrants during their “currency” to add names or descriptions of targeted entities.

The breadth and vagueness of British “targeted” warrants is incompatible with the U.S. DOJ legislation. Despite this clear incompatibility, in his written testimony before the House Committee and Senate subcommittee, McGuinness asserted that the U.S.-U.K. agreement would “[l]imit access to targeted orders for data (i.e. a specific individual, phone number, email address or other identifier), and not bulk access to data.” McGuiness’s statement is ambiguous as to whether he was committing the U.K. to seek only warrants specifying an “individual, phone number, email address or other identifier” for requests pursuant to the U.S.-U.K. agreement or simply providing an example of one type of “targeted” warrant under the IPA. This uncertainty is compounded by the fact that the IPA separately authorizes its intelligence agencies to seek “bulk interception warrants.”

British Judicial Scrutiny Is Inadequate

The U.S. DOJ legislation requires that warrants issued by foreign governments “be subject to review or oversight by a court, judge, magistrate, or other independent authority.” For many years, the U.K. was alone among the Five Eyes in not requiring judicial authorization for interception warrants. The IPA attempts to remedy this lacuna by creating “judicial commissioners,” who review surveillance warrants before they issue. However, their appointment process and the limits of their review means British judicial scrutiny falls short of what is required under the U.S. DOJ legislation.

Under the IPA, the prime minister appoints judicial commissioners, a diversion from the process for ordinary judges, which involves selection by the independent Judicial Appointments Commission. Permitting the executive to appoint judicial commissioners inappropriately blurs the lines between the branches, risking political bias on the part of the judicial commissioners. This concern is exacerbated by the three-year terms of office for the commissioners. The brevity and renewable nature of these terms renders the commissioner role inherently insecure, increasing the risk that their decisions will be biased towards the executive.

The judicial commissioners are also limited in the scope of their scrutiny. In deciding whether to approve the issuance of a warrant under the IPA, judicial commissioners may only apply the British “judicial review” standard, which arguably gives judges less power than the American understanding of that term. The precise contours of this standard are subject to some debate. But one common interpretation, which also appears on the website of the British judiciary, is that this standard constrains review to the procedural propriety of the decision and prohibits examination of the merits. Examining warrants on their merits is a crucial component of independent judicial review.

In addition, the IPA permits the relevant U.K. minister (known as a “secretary of state”) to appeal a commissioner’s refusal to approve a warrant to the investigatory powers commissioner, who is also appointed by the prime minister. The right to appeal is unconstrained and simply gives the secretary of state a second bite at the apple if displeased with the decision of a judicial commissioner. This right is particularly troubling given the executive influence in appointing the judicial commissioners, including the investigatory powers commissioner.

The U.S. DOJ legislation requires consideration of whether a potential partner country’s domestic laws include “sufficient mechanisms to provide accountability and appropriate transparency regarding the government’s collection and use of electronic data.” Challenging evidence obtained through surveillance in court is a key aspect of providing accountability.

The IPA, however, preserves the U.K.’s long-standing ban against the admission of evidence obtained through interception warrants in U.K. court proceedings. Indeed, the IPA prohibits the disclosure of any content and secondary data from which their “origin in interception-related conduct may be inferred” as well as any evidence that “tends to suggest” interception “has or may have occurred.” The U.K. government’s basis for this ban is primarily rooted in the argument that the admission of intercept evidence would compromise interception capabilities by revealing them to suspected criminals and terrorists.

The U.K.’s ban on the admissibility of intercept evidence in court makes it an outlier among common law countries, including the U.S. It raises a number of important implications for the right to a fair trial. That right comprises the requirement that defendants have access to all relevant evidence (including exculpatory evidence), so that they may prepare their case and challenge that of the prosecution. The inadmissibility of intercept evidence also has negative systemic effects. If intercept evidence is never used in court, it can never be challenged in adversarial, public proceedings. And yet, challenging such practices in this manner can be an important avenue for testing and curtailing government surveillance powers.

The U.S. DOJ legislation does not make the admission of intercept evidence an explicit requirement for partner countries. Nevertheless, its prohibition under the U.K. surveillance framework raises serious concerns about whether the U.K. meets the U.S. DOJ legislation’s requirement of affording “robust substantive and procedural protections for privacy and civil liberties,” including adequate protection of the right to a fair trial, and adequate transparency and accountability of surveillance practices.

Conclusion

The gap between aspects of the U.K. surveillance framework and the requirements of the U.S. DOJ legislation are substantial and troubling. U.S. efforts to reform cross-border data requests are an opportunity to encourage other countries to meet certain baseline standards, with the reward being access to U.S.-based data. The incentive to meet these standards could be substantially undermined by the U.S.-U.K. agreement. Allowing the U.K. access to U.S. data pursuant to its current surveillance framework will signal that baseline standards mean little to the U.S. and that countries do not need to reform their national frameworks to meet those standards. Instead, it will demonstrate that national interest trumps principled concerns.

Scarlet Kim is a Legal Officer at Privacy International, a UK-based human rights NGO focused on issues arising at the intersection of privacy and technology. Scarlet previously worked as an Associate Legal Adviser at the International Criminal Court and as a Gruber Fellow in Global Justice at the New York Civil Liberties Union. She served as a clerk on the U.S. District Court for the Eastern District of New York and is a graduate of Yale Law School. She is a U.S.-qualified lawyer and is admitted as a Solicitor in England and Wales.

Mailyn Fidler is a fellow at the Berkman Klein Center for Internet & Society at Harvard University studying the exercise of power in the Internet society. She is a graduate of Stanford and Oxford Universities, where she was a Marshall Scholar.